Mar 9, 2015

A joint investigation by Bluebox Security and smartphone manufacturer Xiaomi has found that unofficial retailers in China sell very convincing counterfeits of the popular Mi4 phone.

Last week, researchers at Bluebox Security published a highly unflattering security report on the device after noticing that it came with adware and malware pre-installed and that it shipped already rooted. The trust score the device achieved was a meager 2.6.

Verifying authenticity was not an easy task

Given the reputation of the Chinese vendor, the Bluebox researchers suspected that they might have gotten their hands on a fake and tried to verify the device's authenticity. Reaching a correct conclusion, however, was not possible because of the false leads the counterfeiters had planted. Relying on CPU-Z for hardware identification and on Xiaomi's own Mi Identification app (its anti-fake software), the researchers concluded that they had a genuine product. This was reinforced by the physical hardware identifiers, which also pointed to the real thing.

It turned out that the counterfeiters had gone to great lengths to hide the deceit: the device was rigged with modified copies of both the hardware identification app and the anti-fake app, which were automatically substituted for the genuine apps whenever a user installed them to check the phone, so no test run on the device itself could be trusted. Any check that relies on software running on the suspect device is only as honest as the firmware the counterfeiter controls. Exposing the fake Mi4 was therefore not a simple process: it took scrutiny of the hardware internals by Xiaomi experts, plus checks of the IMEI number and of the Android version.
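One check that a rigged phone cannot fake is done off the device: pull the installed copy of the verification app to a trusted host with `adb shell pm path <package>` followed by `adb pull` of the reported path (the `<package>` placeholder is yours to fill in), then compare the SHA-256 fingerprint of its signing certificate with the fingerprint of a copy obtained from a trusted source. A substituted or re-signed app carries a different signer, because the counterfeiter does not hold the publisher's private key. The script below is an added example and is not Bluebox's or Xiaomi's code; it parses the JAR-style (v1) signature block in `META-INF/`, the only APK signing scheme in use at the time, and the sample APKs and "certificates" it builds are constructed placeholders, not real X.509 certificates. In practice `apksigner verify --print-certs` reports the same digest and also handles the later v2/v3 signing schemes.

```python
"""
Off-device check of which certificate signed an APK (added example).

Reads the PKCS#7 SignedData in META-INF/*.RSA, *.DSA or *.EC, pulls out the
embedded signer certificate(s) and hashes each one with SHA-256, the same
digest `apksigner verify --print-certs` prints. Sample data at the bottom is
constructed for the example; no real certificates or keys are involved.
"""
import hashlib
import io
import zipfile


def der_read(buf, pos):
    """Read one DER tag/length header at pos; return (tag, value_start, value_len)."""
    tag = buf[pos]
    length = buf[pos + 1]
    start = pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, length


def signer_certs_from_pkcs7(blob):
    """Return the DER certificates embedded in a PKCS#7 SignedData structure."""
    tag, p, _ = der_read(blob, 0)            # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, p, l = der_read(blob, p); p += l      # contentType OID (skipped)
    _, p, _ = der_read(blob, p)              # [0] EXPLICIT content
    _, p, _ = der_read(blob, p)              # SignedData SEQUENCE
    _, p, l = der_read(blob, p); p += l      # version INTEGER (skipped)
    _, p, l = der_read(blob, p); p += l      # digestAlgorithms SET (skipped)
    _, p, l = der_read(blob, p); p += l      # encapContentInfo SEQUENCE (skipped)
    tag, p, l = der_read(blob, p)            # certificates [0] IMPLICIT, optional
    certs = []
    if tag == 0xA0:
        end = p + l
        while p < end:                       # each Certificate is its own SEQUENCE
            _, start, clen = der_read(blob, p)
            certs.append(bytes(blob[p:start + clen]))
            p = start + clen
    return certs


def cert_fingerprint(cert_der):
    """SHA-256 over the DER certificate, i.e. the signer digest apksigner reports."""
    return hashlib.sha256(cert_der).hexdigest()


def apk_signer_fingerprints(apk_bytes):
    """Fingerprints of every signer certificate found in the APK's v1 signature files."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC")):
                for cert in signer_certs_from_pkcs7(z.read(name)):
                    found.add(cert_fingerprint(cert))
    return sorted(found)


def verify_signer(apk_bytes, expected_fingerprint):
    """True only if the trusted publisher's certificate is among the APK's signers."""
    return expected_fingerprint in apk_signer_fingerprints(apk_bytes)


# --- constructed sample data (placeholders, not real certificates) -------------

def der(tag, body):
    """Encode one DER TLV with a short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_apk(cert_der):
    """Minimal zip shaped like a v1-signed APK, carrying cert_der in META-INF/CERT.RSA."""
    oid_signed_data = der(0x06, bytes.fromhex("2A864886F70D010702"))   # 1.2.840.113549.1.7.2
    oid_data = der(0x06, bytes.fromhex("2A864886F70D010701"))          # 1.2.840.113549.1.7.1
    signed_data = der(0x30,
                      der(0x02, b"\x01")          # version
                      + der(0x31, b"")            # digestAlgorithms (empty in the sample)
                      + der(0x30, oid_data)       # encapContentInfo
                      + der(0xA0, cert_der)       # certificates [0]
                      + der(0x31, b""))           # signerInfos (empty in the sample)
    pkcs7 = der(0x30, oid_signed_data + der(0xA0, signed_data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", pkcs7)
        z.writestr("classes.dex", b"dex\n035\x00")
    return buf.getvalue()


GENUINE_CERT = der(0x30, b"constructed placeholder: publisher certificate")
SWAPPED_CERT = der(0x30, b"constructed placeholder: counterfeiter certificate")
GENUINE_FINGERPRINT = cert_fingerprint(GENUINE_CERT)   # what the trusted copy yields

GENUINE_APK = build_sample_apk(GENUINE_CERT)           # copy from a trusted source
SWAPPED_APK = build_sample_apk(SWAPPED_CERT)           # copy a rigged phone might hand back

if __name__ == "__main__":
    print("genuine copy signed by publisher:", verify_signer(GENUINE_APK, GENUINE_FINGERPRINT))
    print("swapped copy signed by publisher:", verify_signer(SWAPPED_APK, GENUINE_FINGERPRINT))
```

The comparison is only meaningful if the reference fingerprint comes from a copy you trust, such as the app downloaded on a clean machine from the publisher; the phone's own copy cannot supply its own reference.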

“The level of detail this counterfeit went to, to look like and act like the real thing, was rather extraordinary. It has the same internal structures, battery and labels on the components that are commonly used by people online to determine the authenticity of a device if it’s not powered on,” says Andrew Blaich of Bluebox in an update to the initial report. The steps needed to establish that the device was counterfeit go well beyond what a regular user would normally take. When Bluebox evaluated a genuine Mi4 running the Chinese manufacturer's own Android build, it obtained a better score of 6.7, which may be improved further in the future.

Other brands are also impersonated

Xiaomi said via email that MIUI, the Android-based firmware that powers all of its devices, follows the Android Compatibility Definition Document and passes all compatibility tests, making it suitable for the international market. The company's official statement also points out that the Chinese black market offers counterfeit products that are almost indistinguishable from the outside. “This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China,” Xiaomi said.

Paying for a counterfeit and then being ripped off a second time by the malicious apps it ships with can be avoided by buying only from official retailers. For Xiaomi products, the company representative said that, apart from the official website, genuine devices can generally be bought from mobile operators; Tmall is also on the list of official distributors.

Image: Xiaomi Mi4. Users should purchase the phone only from official retailers. (Image credits: Xiaomi)